Firewall Wizards mailing list archives
RE: Proxy 2.0 secure?
From: "Choi, Byoung" <bchoi () visa com>
Date: Fri, 26 Jun 1998 11:49:18 -0700
beside the size, nt protocol stack is substantially less mature than unix code - it often kills the machine when it receives malformed packets, particularly faulty IP fragments (i don't know what new fixes ms came out with, but last time i tried - a couple of weeks ago - i found at least three types of hacks generating malformed packets that knocked out NT boxes with all the patches available from ms). such malformed packets can be generated by mistakes by other hosts, not necessarily with malicious intent, and, in order to call the nt protocol stack a working piece of code, it must handle these degenerates properly, at least not killing the machine.

(just to note, i had "hardened" the nt box by taking out just about all nt-specific services, with only the tcp/ip protocol, and all ports disabled except a few open for dedicated application purposes. the machine choked even when the degenerate packets were addressed to ports that were supposedly "disabled"!)

i ran the same test against unix boxes, and they didn't budge - not surprising, since they had decades to sort out these little bugs. the same buggy problem afflicts linux, which is also relatively new like nt, but with its source being open, bug reports and fixes come out much quicker than those for nt, and you can examine for yourself that the fix is a real fix, not a bandaid solution, with the open source (and open patch as well).

with the proxy running on nt, it wouldn't matter how good the proxy code is, if the underlying OS chokes up. if you are security/availability conscious, it would be a good idea to keep nt boxes outta net segments exposed to the Net. i heard that ms bought reliable, time-tested source for the protocol stack from a third party for their nt release 5, and perhaps the buggy protocol stack problem will be less of an issue with nt 5, but until then, i would keep nt boxes out of the Net if i want them to stay up and be useful.
b-

----------
From: Mark Horn [ Net Ops ]
Sent: Thursday, June 25, 1998 6:53 AM
To: Gillian Steele
Cc: Stout, Bill; Firewall-wizards
Subject: Re: Proxy 2.0 secure?

Gillian Steele says:
> Personally, I'm willing to put my faith in those magazines that actually do
> real-world testing, to back up their claims, and the claims of Data
> Communications about the "soundness" of the NT-based Firewalls, including
> MSP 2.0 seem sound enough to me.

NT is a pretty big operating system that is tied to its very big user interface. That's a *LOT* of code containing a number of bugs commensurate with the code's size. Bellovin's "Fundamental Theorem of Firewalls" says that's a problem. The idea is that since all code has bugs, the best way to reduce bugs (i.e. security holes) in a firewall is to run the firewall with the least amount of code possible. It is exceedingly difficult to do that with NT.

So, from my perspective, it doesn't matter what firewall software is running on NT. It will always be more susceptible to bugs than equivalent software running on a trimmed-down unix. Until you can remove the bloated GUI from NT, you're stuck with its known and unknown bugs - all of which, on a firewall, are security holes.

--
Mark Horn <mhornNOSPAM () nospam funb com>
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1